StudyDaddy Social Science To help you prepareThink about the data you collected, why you chose those particular data, and your data collection processes, including how you used collaboration in your process.   · After analy

To help you prepareThink about the data you collected, why you chose those particular data, and your data collection processes, including how you used collaboration in your process.   · After analy

Data security and information assurance

Assignment 4 B

Develop a “taxonomy” of DS/IA document. A taxonomy is a way of organizing something on a “group within group” basis. (Remember how the biological taxonomy is structured.) Initially, define data security and information assurance. Secondly, develop an outline of the major “elements” within the discipline of DS/IA.

A taxonomy of DS/IA.

  1. Data security (DS) is also known as information security (IS) or computer security. Data security is the act of preserving data protecting its validity, as well as keeping the secrets secret. Generally, data security involves protecting data such as a database from destructive forces and from the unwanted actions of unauthorized users. Data security also means hiding or preventing unauthorized access of data from any other entity. Data security make users secure from any unwanted activity. Data security can be referred as a protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.

Data security are built on three pillars. They are commonly referred to by the C-I-A acronym:

The CIA (Confidentiality, Integrity, and Availability) triad of information security is an information security benchmark model used to evaluate the information security of an organization.

  • C- Confidentiality: data is said to be confidential if it is keep from being seen to all but those authorized to use it.

Example: multi factor Authentication, IP sec

  • I- Integrity: data is said to have integrity if it remains identical to its state when the last authorized user finished with it.

Example: Hashing Algorithms:MD4, MD5, or SHA-1

  • A- Availability: data is said to be available if it is accessible by authorized user in a convenient format and with a reasonable time.

Example: Fault-tolerant disk.

Other part of C-I-A model are:

  • Identification: identifying who you claim to be

Example: Username and password.

  • Authentication: How do the system know that you are who you claim to be.

Example. Username and password, or smart card.

  • Authorization: what you can do once authenticated.

Example: biometric, fingerprint

  • Accountability: who did what, also, who pays the bills?

Example: Employees being present for their entire required shift.

Three key word in data security issues

  • Vulnerability: A point where a system is susceptible to be attacked.

Example: Sending email through a phone device not encoding.

  • Threat: A possible danger to the system. the danger might be a person (spy), a thing (faulty equipment), or natural disaster (flood, fire).

Example: Computer virus, or Trojan horse.

  • Countermeasure: techniques for protecting data.

Example: Access control.

Major Information Security Threats

  • Lack of Encryption: Protecting sensitive business data in transit and at rest is a measure few industries have yet to embrace, despite its effectiveness.

  • Third-party Entry: Cybercriminals prefer the path of least resistance. Target is the poster child of a major network attack through third-party entry points. The global retailer’s HVAC vendor was the unfortunate contractor whose credentials were stolen and used to steal financial data sets for 70 million customers3.

  • Outdated Security Software: Updating security software is a basic technology management practice and a mandatory step to protecting big data. Software is developed to defend against known threats. That means any new malicious code that hits an outdated version of security software will go undetected.

  • Denial of service (Dos): Direct large amounts of network traffic at systems such as web site to overload them and prevent legitimate users from using them.

  • Hacking: Electronically breaking into an organization system for personal gain, to cause damage, or to gain notoriety in the hacker community.

  • Social engineering: Getting access to confidential information through social interaction.

  • Impersonation/spoofing: Someone gain access to systems by impersonating an authorized user.

  • Malware: malicious viruses that could be used to again access to the system. this could be worm, trojan horse, or spyware.

  • Privacy and theft of intellectual property: This includes legal copying and distribution of intellectual property. Example: unauthorized use of consumer software, stealing credit card numbers

Techniques for protection of data from unauthorized access

  • System access control: this technique ensures that unauthorized users do not get in a system where a sensitive data is stored. this can be achieved by using a strong password, token or biometric to protect the system from unauthorized access

  • There are three factors that can be used for authentication:

  • Something only known to the user, such as a password or PIN.

  • Something that is part of the user, such as a fingerprint, retina scan or another biometric measurement.

  • Something that belongs to the user, such as a card or a key.

Data access control: this method monitors who can access what data, and for what purpose.

Disk encryption: Data encryption means sending data in coding format which can only decode and decrypt by an authorized user or receiver.
Ways of data encryption:

  • Synchronized, and

  • Asynchronized encryption technics.

In DS, disk encryption, in which the whole disk is encrypted is used so that only a person with enough grant can access that data.

Software and Hardware-based mechanisms for protecting data: software-based security solutions encrypt the data to protect it from theft. However, malicious program or hackers could corrupt the data to make it unrecoverable, thereby making the system unstable. Hardware-based security solution can prevent read and write access to data and further offer very strong protection against tampering and unauthorized access.

Data Backup: backing up data refers to the copying and archiving of computer data so that it may be used to restore the original after a data loss event. When a data is backed up, it will be easy to recover when attacked or when lost.

Example: Time Machine is an option that backs up to external hard drives automatically.

Data Masking: this is the process of obscuring specific data within a database table or cell to ensure that data security is maintained, and sensitive information is not exposed to unauthorized users.

Example: Visa and Master Card was development to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.

Three basic types of data control that provides different levels of protections to the files stored in the system

  • Discretionary access control (DAC): user decides how to control the file.

Example: Google drive. Owner can choose to give read or write access to other users.

  • Mandatory access control (MAC): system controls and protects files in the system.

Example: Hospital owns our health record and they have limit to share it.

  • Role-based access control (RBAS): grant privilege to the file based on a job function.

Example: Bank of America’ employees, every one of them has specific function or role of access bank’s system.

  • Attribute-based access control (ABAC) is a different approach to access control in which access rights are granted through the use of policies made up of attributes working together.

Example: a patient’s primary physician can create and update that patient’s progress note.

  • Rules Based Access Control: access is allowed or denied to resource objects based on a set of rules defined by a system administrator.


Other techniques attackers can use to gain unauthorized access to sensitive data/information

  • Installing malicious software such as Worm, Trojan horse, Rootkit, Exploit, et cetera.

  • Phishing email: sending email to trick users to release a sensitive data.

  • Smashing message: which occurs via text message. This could be done by sending a trick message to get sensitive information. Et cetera.

Products designed to protect data/information from malicious attack

  • Firewall: this protects computer by examining each information packet that travel over the network.

  • Anti-virus: this is basically for detecting viruses that tries to attack the data stored in our system.

  • Intrusion detection system (IDS)/Intrusion protection system (IPS): monitors traffic and events on the network and clients, looking for pattern that might indicate an attack is occurring or has occurred previously.

  1. Information Assurance (IA) is the practice of assuring information and managing the risk associated to the use. Information assurance could be referred to as the necessary steps taken to protect information system against threats such as Viruses, Worm, Phishing attacker, etc. IA includes protecting of integrity, Authenticity, availability, confidential, and non-repudiation of user’s data. Information Assurance (IA) is the process of getting the right information to the right people at the right time.

  • IA include Confidentiality:

Confidentiality is one of the five pillars of Information Assurance (IA) that allows authorized users to access sensitive and protected data. Specific mechanisms ensure confidentiality and safeguard data from harmful intruders.

  • Cryptography

    • Symmetric cryptography: DES, AES, and Triple DES

    • Public key cryptography RAS, and Blowfish

  • IA include integrity.

Integrity is one of the five pillars of Information Assurance that refers to methods of ensuring that data is real, accurate and safeguarded from unauthorized user modification.

  • Checksums:

    • CRC.

  • Codes:

    • Hamming Code

  • Audit logs:

    • Application, Host, and Network.

  • IA include availability.

Availability is one of the five pillars of Information Assurance that refers to the ability of a user to access information or resources in a specified location and in the correct format.

  • Redundancy:

    • Function, Data.

  • Fault tolerance

  • IA include Authentication

Authentication is one of the five pillars of Information Assurance that hat ensures and confirms a user’s identity.

  • Access Control.

  • Biometric: eye scanning, finger print, or voice.

  • Password

  • Public key infrastructure

  • Types: Mandatory and Discretionary access control and Roll based access control.

  • Smart cards and tokens

  • Attribution:

    • Audio logs

How information assurance (IA) process works:

  • It started by enumeration and classification of the information assets to be protected.

  • Perform a risk assessment for those assets.

  • Considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset stakeholders. The sum of the products of the threats impact and the probability of their occurring is the total risk to the information asset.

  • After the completion of above steps then the IA practitioner develops a risk management plan. The plan proposes countermeasures that involves mitigating, eliminating, accepting, or transferring the risks, and considers prevention of thread.

  • Several standard frameworks such as Risk IT, CobiT, PCI DSS, guide them to develop risk management plan.

  • The risk management plan is implemented and tested. if it need any other modification then the whole processes will be repeated.

Several standard organizations which provide standard for the Information assurance (IA,) Such as organization includes:

  • Information Assurance Advisory Council, and

  • The Information Assurance Collaboration Group. Et cetera.

Information assurance vulnerability alert (IAVA): this is an announcement of a computer application software or operating system vulnerability notification in the form of alerts, bulletins, and technical advisories identified by DoD-CERT.

These selected vulnerabilities are the mandated baseline, or minimum configuration of all hosts residing on the GIG.

PROCESS OF IAVA:

  • Identify a system administrator to be the point of contact for each relevant network system

  • Send alert notifications to each point of contact

  • Require confirmation by each point of contact acknowledging receipt of each alert notification

  • Establish a date for the corrective action to be implemented and enable DISA to confirm whether the correction has been implemented.

The essential components of an effective information security program

  • People: people are the most important component of information security and the weakest link in security chain. People are the most important component because, they create techniques on how information can be secured, also, people provides intelligence behind the tools used for protecting data/information such as Firewalls, Anti-viruses, IDS/IPS, Honeyt, et cetera. At the other hand, people can be considered as the weakest link in security chain because they create vulnerability by exposing data/information to computer thieves, hackers, spies, et cetera. This could be done by bribing them in other to give out some sensitive information. People can as well expose a sensitive information through carelessness, probably because they lack adequate training or because of unprofessionalism.


  • Process: processes are like a glue that binds people, technology, and the other components of the information security program. Three key areas of the processes include strategy, components, and administration.

  • Process strategy: this component enables you to create a policy. Before creating a policy, you should determine whether your organization has some existing information security policies, if they had, then evaluate if they are complying with them. You must review the policies periodically and update them to reflect changes in the information security field. You should make the policies understandable to average employers.

  • Process component: To have an effective information security policy, all organizations must address the basic areas: Account administration, Remote access, Vulnerability management, Acceptable use policies, Security awareness, and Emergency response.

  • Process administration: This method deals with details on how security policies will be monitored and enforced. The involvement of the executive staffs in the development and management of information security policies is paramount to the effectiveness of your program.


  • Technology: This can be used to enforce your information security processes and is also considered as an essential component of an effective program. A comprehensive information security architecture is necessary to ensure that your program supports your current and future business model. Defense-in-depth can be used to develop multiple layers of protection within your organization and it offer higher level of protection for your most valuable assets. The most basic security technologies they are required for almost every organization are authentication, authorization, and accounting (AAA).

Two key areas of the Technology include HARDWARE, and SOFTWARE.

Reference

  • Mark E. & Tim M., Symantec press. The Executive Guide to Information Security. (2005)

  • Lehtinen, R., Russell, D., Gangemi, G. T., & Russell, D. CA: O'Reilly media, Inc (2006). Computer security basics (second edition).

  • www.techrepublic.com/article/10-things-you-can-do-to-protect-your-data/

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!